F-Secure Creates Tool to Detect, Remove Flashback Malware From Macs

The security software vendor offers an automated tool to address the exploit that has infected more than 600,000 Macs, and questions why Apple hasn’t yet done the same.

Security software vendor F-Secure has released an automated tool designed to detect and remove the Flashback malware from Macs, becoming the latest vendor to beat Apple in offering users a way to clean their infected systems.

F-Secure had already published manual directions that Mac users could follow to detect and remove the Flashback exploit, which uses vulnerabilities in Java to infect the system. Now, the company is offering an automated tool. According to antivirus vendors Kaspersky Lab and Doctor Web, the malware already has hit more than 600,000 Macs, or between 1 and 2 percent of the Macs in use worldwide.

Mac users can download the F-Secure tool from the companys Website. After downloading it, users need to unzip the file and then follow the instructions to determine if the system is infected with the Flashback malware. If an infection is found, the malware is moved into an encrypted zip file in the users Home folder. The zip file is tagged with the password infected, according to F-Secure.

Users will then see instructions for cleaning their systems.

Apple systems, which users have long felt were highly resistant to viruses, have come under greater attack over the past year through such malware as the Tsunami and Revier/Imuler Trojans, and the Mac Defender fake antivirus program. However, the Flashback exploitwhich was first discovered last yearhas been the most damaging.

The malware first started as a classic Trojan, masquerading as an update to Adobe Flash, but now is more of a drive-by exploit, infecting systems when users surf to a compromised or malicious Website.

Apple officials are taking increasing criticism for how theyve handled the situation. Oracle, which owns Java, several weeks ago patched the vulnerability in Windows PCs. However, it wasnt until last week that Apple sent out the patch for Macs, a delay that security experts said opened the door to the large number of infections.

A host of security software vendorsincluding Kaspersky, F-Secure and Integohave offered free tools for detecting and removing the Flashback malware. In addition, a software developer also released a tool for users to check for the exploit, essentially automating the manual procedure that F-Secure had laid out.

Apple officials announced April 9 that their engineers were working on tools to detect and remove the Flashback malware, but they gave no indication when that tool would be available. In his April 10 blog post announcing the automated tool, Mikko Hypponen, chief research officer for F-Secure, took Apple to task for its slow response.

Apple has announced that it's working on a fix for the malware, but has given no schedule for it, Hypponen wrote. Quite surprisingly, Apple hasn't added detection for Flashbackby far the most widespread OS X malware everto the built-in Xprotect OS X antivirus tool. Also note that Apple has not provided a patch for the Java vulnerability used by Flashback for OS X v10.5 (or earlier).

More than 16 percent of Macs still run OS X 10.5, he said.

Apple noted that it released a Java update April 3, fixing the Java security flaw in systems running OS X v.10.7 and Mac OS X v10.6. In their notice about Apple developing the detection and removal tool, the officials suggested that Mac users running Mac OS X v10.5 or earlier should disable Java in their Web browser preferences.

Apple also appears to be having difficulty dealing with the security community. The security software vendor Doctor Web had used a sinkhole operation to monitor the Flashback malware and determine that more than 600,000 Macs had been infected. Boris Sharov, CEO of the Russian company, told Forbes.com that after Doctor Web had sent all the information it had to Apple, he never heard back from Apple officials. In fact, the notoriously private Apple at one point asked a registrar to shut down a domain that Doctor Web was using as part of its sinkhole operation.

Sharov said he believed the move was an honest mistake, but that it was an indication that Apple needs to improve its relationship with security software companies.